Category: FILE
Started On: 2014-07-09 13:05:08
Completed On: 2014-07-09 13:07:02
Duration: 114 seconds
Cuckoo Version: 1.2-dev

Machine: machine4
Label: xpmachine4
Manager: VirtualBox
Started On: 2014-07-09 13:05:09
Shutdown On: 2014-07-09 13:07:01

File Details

File name phphotoset.scr
File size 93696 bytes
File type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
CRC32 E6B74F2B
MD5 979698d4620fb7dd0a930ef46e0e36f2
SHA1 21f6cfbf3342189fb01c41251504a1ff2fe9dd1b
SHA256 4d3ae7790c6fec8a6524280a7451be5aa5ba20f8018aa14a99e107154dfef73a
SHA512 5a3d1a96728b0c1bbbbbc9a90f3e0c25e0fb87ed9bec50cf462bdf2b73da3b9e71440823551f27e6e5dfd4f8f2ee12389c811f1574445eca4727672a068b7ddb
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal Scan Date: 2014-07-09 15:36:06
VirusTotal Detection Rate: 0/54

Signatures

The binary likely contains encrypted or compressed data.
Creates an Alternate Data Stream (ADS)
  (the only stream in the Files list below is phphotoset.scr:Zone.Identifier, the Mark-of-the-Web stream on the submitted sample itself, so on its own this signature is weak evidence)
Installs itself for autorun at Windows startup
  (no Run, RunOnce or Winlogon key appears in the Registry Keys list below; the Files list does include C:\DOCUME~1\ALLUSE~1\msibxur.exe, an executable under the All Users profile that is not the sample's own path, while the Dropped Files section is empty)

Screenshots

Static Analysis

Version Infos

Sections

Imports

Strings

Dropped Files

Nothing to display.

Network Analysis

Hosts Involved

Behavior Summary

Files
  • C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
  • C:\WINDOWS\Microsoft.NET\Framework\\*
  • C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\clr.dll
  • C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
  • C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\clr.dll
  • C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\clr.dll
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\DOCUME~1\TDW\LOCALS~1\Temp\phphotoset.scr.config
  • C:\DOCUME~1\TDW\LOCALS~1\Temp\phphotoset.scr
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
  • C:\Documents and Settings\TDW\Application Data\Microsoft\CLR Security Config\v2.0.50727.42\security.config
  • C:\Documents and Settings\TDW\Application Data\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch
  • C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index12.dat
  • C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
  • C:\DOCUME~1
  • C:\DOCUME~1\TDW
  • C:\DOCUME~1\TDW\LOCALS~1
  • C:\DOCUME~1\TDW\LOCALS~1\Temp
  • C:\DOCUME~1\TDW\LOCALS~1\Temp\phphotoset.INI
  • C:/DOCUME~1
  • C:/DOCUME~1/TDW
  • C:/DOCUME~1/TDW/LOCALS~1
  • C:/DOCUME~1/TDW/LOCALS~1/Temp
  • C:\WINDOWS\assembly\pubpol1.dat
  • C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
  • C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
  • C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
  • C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
  • C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
  • C:\WINDOWS\system32\l_intl.nls
  • C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
  • C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.INI
  • C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
  • C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll.101.Manifest
  • C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll.101.Config
  • C:\Documents and Settings\TDW\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
  • C:\WINDOWS\FONTS\MICROSS.TTF
  • C:\Documents and Settings\TDW
  • C:\Documents and Settings\TDW\LOCALS~1
  • C:\Documents and Settings\TDW\Local Settings\Temp\phphotoset.scr
  • C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
  • C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
  • C:\DOCUME~1\TDW\LOCALS~1\Temp\phphotoset.scr:Zone.Identifier
  • PIPE\lsarpc
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.504.19330217
  • C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.504.19330217
  • C:\Documents and Settings\TDW\Application Data\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.504.19330247
  • C:\WINDOWS\system32
  • *.dll
  • C:\
  • C:\WINDOWS\system32\msiexec.exe
  • C:\Documents and Settings
  • C:\Documents and Settings\All Users
  • C:\DOCUME~1\TDW\LOCALS~1\Temp\PHPHOT~1.SCR
  • C:\DOCUME~1\ALLUSE~1\msibxur.exe
Mutexes
  • Global\CLR_CASOFF_MUTEX
Registry Keys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\\v4.0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
  • HKEY_CURRENT_USER\Software\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1935655697-1606980848-1060284298-1003
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index12
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\3c74e9a9\1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\319545b3\1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3897046b\4e120806
  • HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\52628d2e
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\69db6748
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\69db6748\11
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\2995e574\9
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\291a02d0\7
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\3914f670\25
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\67e63d5c\6
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4426ac2f\21
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\7f729234\e
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\268e923b\24
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\1d498232\8
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\6e9ac653\8
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\31de29a4\b
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\3fcdfaca\10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\432ba598\3d75b7fc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
  • HKEY_CURRENT_USER\Software\Microsoft\GDIPlus
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_CURRENT_USER\EUDC\1252
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2ff05403\4347f54d
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1935655697-1606980848-1060284298-1003\Installer\Assemblies\C:|DOCUME~1|TDW|LOCALS~1|Temp|phphotoset.scr
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|DOCUME~1|TDW|LOCALS~1|Temp|phphotoset.scr
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|DOCUME~1|TDW|LOCALS~1|Temp|phphotoset.scr
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1935655697-1606980848-1060284298-1003\Installer\Assemblies\Global
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\2ff05403\4904e667
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
  • HKEY_CLASSES_ROOT\AppID\phphotoset.scr
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName
  • ActiveComputerName

Processes

phphotoset.scr (PID 504, parent PID 368)
  phphotoset.scr (PID 1388, parent PID 504)
    msiexec.exe (PID 520, parent PID 1388)
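The three signatures and the process chain above are the kind of summary a responder re-checks before acting on it. The following Python is an added example, not code from the Cuckoo project or from this report: it re-derives those findings from the report's own Files, Registry Keys and Processes entries (a subset copied inline as constructed input). The autorun key fragments, the system-binary name list and the "sample -> sample -> system binary" rule are assumptions of the example, not Cuckoo signature logic.

```python
"""Triage heuristics over a Cuckoo 1.x Behavior Summary and process list.

Added example, not code from the Cuckoo project or from the report above.
The REPORT_* constants hold a subset of the report's Files, Registry Keys
and Processes entries; the autorun key fragments, system-binary names and
the "sample -> sample -> system binary" rule are this example's assumptions,
not Cuckoo signature logic. Cuckoo's summary lists every path a process
touched, reads included, so a listed executable is a lead, not a proven write.
"""
import re

SAMPLE_PATH = r"C:\DOCUME~1\TDW\LOCALS~1\Temp\phphotoset.scr"

# Constructed input: subset of the report's "Files" list.
REPORT_FILES = [
    SAMPLE_PATH,
    SAMPLE_PATH + ":Zone.Identifier",
    r"C:\DOCUME~1\TDW\LOCALS~1\Temp\PHPHOT~1.SCR",
    r"C:\WINDOWS\system32\msiexec.exe",
    r"C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI",
    r"PIPE\lsarpc",
    r"C:\DOCUME~1\ALLUSE~1\msibxur.exe",
]
# Constructed input: subset of the report's "Registry Keys" list.
REPORT_REGKEYS = [
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    r"HKEY_CLASSES_ROOT\AppID\phphotoset.scr",
]
# (name, pid, ppid) exactly as listed under "Processes".
REPORT_PROCESSES = [("phphotoset.scr", 504, 368), ("phphotoset.scr", 1388, 504),
                    ("msiexec.exe", 520, 1388)]

# Assumed reference lists for the heuristics (not taken from the report).
AUTORUN_KEY_FRAGMENTS = (r"\currentversion\run", r"\currentversion\runonce",
                         r"\currentversion\policies\explorer\run", r"\currentversion\winlogon")
SYSTEM_BINARIES = ("msiexec.exe", "svchost.exe", "explorer.exe", "regsvr32.exe", "regasm.exe")
EXE_SUFFIXES = (".exe", ".scr", ".dll", ".com", ".bat", ".vbs", ".ps1")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\microsoft.net", r"c:\windows\assembly")
ADS_RE = re.compile(r"^([A-Za-z]:.+?):([^\\/:]+)$")  # second colon = NTFS stream separator


def alternate_data_streams(paths):
    """(file, stream) for every NTFS ADS reference in the list."""
    return [(m.group(1), m.group(2)) for m in map(ADS_RE.match, paths) if m]


def non_motw_streams(paths):
    """ADS references other than Zone.Identifier, the Mark-of-the-Web stream that
    Windows attaches to downloaded files and that is read when they run."""
    return [(f, s) for f, s in alternate_data_streams(paths) if s.lower() != "zone.identifier"]


def dropped_executables(paths, sample_path):
    """Executable names touched outside the sample's own directory and the
    framework/system directories; candidates for the empty Dropped Files section."""
    sample_dir = sample_path.rsplit("\\", 1)[0].lower()
    hits = []
    for p in paths:
        directory, _, name = p.lower().rpartition("\\")
        if (name.endswith(EXE_SUFFIXES) and directory != sample_dir
                and not directory.startswith(SYSTEM_DIRS)):
            hits.append(p)
    return hits


def autorun_keys(keys):
    """Registry keys under the common autostart locations (assumed list above)."""
    return [k for k in keys if any(f in k.lower() for f in AUTORUN_KEY_FRAGMENTS)]


def suspicious_chains(procs, system_names=SYSTEM_BINARIES):
    """sample -> sample (same image name) -> child named like a trusted Windows
    binary. Loaders that relaunch themselves and then start a system binary to
    host injected code produce this shape, but a process list cannot prove
    injection; treat a hit as a lead for the per-process API log and memory."""
    by_pid = {pid: (name, ppid) for name, pid, ppid in procs}
    chains = []
    for name, pid, ppid in procs:
        parent = by_pid.get(ppid) if name.lower() in system_names else None
        grand = by_pid.get(parent[1]) if parent else None
        if grand and grand[0].lower() == parent[0].lower():
            chains.append([(grand[0], parent[1]), (parent[0], ppid), (name, pid)])
    return chains


def triage(files=REPORT_FILES, keys=REPORT_REGKEYS, procs=REPORT_PROCESSES,
           sample_path=SAMPLE_PATH):
    """Findings a human would check before trusting the three signatures above."""
    return {
        "ads_other_than_motw": non_motw_streams(files),
        "dropped_executables": dropped_executables(files, sample_path),
        "autorun_keys": autorun_keys(keys),
        "suspicious_chains": suspicious_chains(procs),
    }
```

Over these entries triage() finds no ADS other than Zone.Identifier (the Mark-of-the-Web stream of the submitted sample), one executable outside the sample's directory (C:\DOCUME~1\ALLUSE~1\msibxur.exe, even though the Dropped Files section is empty), no autostart key, which also holds for the full Registry Keys list above, and one phphotoset.scr -> phphotoset.scr -> msiexec.exe chain. The chain is the item worth pulling the msiexec.exe process's API log and a memory dump for; the "autorun" signature needs the per-process registry calls rather than the summary to be confirmed.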

Volatility

Nothing to display.